acme-client looks in its configuration for a
domain section corresponding to the domain
given as command line argument. It then uses that configuration to retrieve a
TLS certificate. If the certificate already exists and is less than 30 days
from expiry, acme-client will attempt to refresh
the signature. Before a certificate can be requested, an account key needs to
be created using the -A argument. The first time
a certificate is requested, the RSA key needs to be created with
-D.

Challenges are used to verify that the submitter has access to the registered
domains. acme-client only implements the
“http-01” challenge type, where a file is created within a
directory accessible by a locally-run web server. The default challenge
directory /var/www/acme can be served by
httpd(8) with this
location block, which will properly map response challenges: